Techniques for risk-based auditing

Post on 12-Jan-2016


Techniques for risk-based auditing. DG INFSO-02 Freddy Dezeure - Charles Macmillan. 21/1/2011 European Court of Auditors Chamber IV. Background DG INFSO. European Commission department European Digital Agenda Co-funding of cost of research projects: 1,5 bio€ per year


21/1/2011 European Court of Auditors Chamber IV

Techniques for risk-based auditing

DG INFSO-02 Freddy Dezeure - Charles Macmillan

Background DG INFSO

European Commission department

European Digital Agenda

Co-funding of cost of research projects: 1,5 bio€ per year

FP6, FP7, eTEN, CIP: > 7000 beneficiaries, >2000 projects

Financial audits - 200 per year

Selection of auditees

Assurance audits -> error 4%


Major sources of errors

Excessive overheads

Claimed salary cost not actual

Representative error rate

Risk-based auditing

Risk of intentional inflation of cost

Assessment of the organisation as a whole

Data mining – new tools and methods

Audit programme specific to the risk (ISA240 - ISA315)

CM

Data gathering

Risk assessment

Define approach

Field work

Assess next steps

Finalise

Data gathering

Risk assessment

Data Gathering phase

Scope from risk assessment – continually reassessed

Collect available information from internal and external sources

Check for indicators and inconsistencies

Outcomes define specific audit procedures

Use and find new Indicators

Feed into control systems

Internal Sources

Project documents: proposal, description of work, deliverables, reports, reviews, emails, cost claims

Experts Database

Organisations Database

Open Sources

People: Google, Bing; Google Scholar, Microsoft Academic; Microsoft EntityCube; LinkedIn, Zoominfo; 123People, Yasni, PIPL; Google Magic Wheel, Timeline

Companies: Google, Bing; company registries; Google Maps, Google Streetview

Communications: Google, Bing; Infobel; Ixquick; UKPhonebook; Domaintools; Domaincrawler; Robtex; Wayback Machine

Find the right person

Find all the relevant information about the person

Avoid noise

Finding people

“Fake” People - Examples

Non-existent people

Existing, but

not relevant

not employed

not aware of project

People in multiple roles / companies / projects

Neuron – partner in BRAIN

Neuron: Key staff

• DoW Description

• Computer Science degree

• Experienced ICT researcher

• etc

Neuron – Key staff


Indicators

Not found on internet

Top management of company

Always the same names

Listed for different companies in different projects

Listed in a different country from the company

CV on LinkedIn contradicts submission

Anonymous email address (gmail, ...)

GSM phone only

Finding companies

Find the right company

Find all the relevant information about the company

Avoid noise

Even simple tools can help


Earth Match – partner in SOLARSYS

www.emsoft.com


Earth Match – partner in SOLARSYS

www.earthmatch.com.mt

www.cabbage.com

ONION – partner in VEGETABLE


• Does the website exist?

• Does the project fit the company’s core activities?

• Does the website give contact information - and does it match the official transmission documents?

• Is the website registered by the partner?


Company website


• Company registration websites

http://www.rba.co.uk/sources/registers.htm

• http://www.infobel.com/, http://www.ixquick.com/

– Cross-check the phone number with yellow/white pages

– Reverse search on the phone number


Company registry, phone/fax


• Website registration

http://www.domaintools.com/

http://www.robtex.com/dns/

• Archive

http://www.waybackmachine.org/

http://www.archive.org/web/web.php


Company website, history


• Search for company in Google

– Not reassuring if nothing found

• Translation tools

– http://translate.google.com

– http://babelfish.yahoo.com/


Tools - internet search


HOUR – partner in TIME

• Email address does not match company domain

• Phone number = fax number

• Phone number = GSM number

• Website registered by another company

• Website or phone numbers in another country

• Corporate website without contact coordinates, “under construction”

Indicators
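
Once the lookups are done, the six company indicators listed above can be checked mechanically. The following is an added example, not part of the original presentation: it applies those indicators to one partner record. The record fields, the dial-code table and all sample values are constructed assumptions, and the record holds values an auditor has already gathered by hand.

```python
import re
from urllib.parse import urlparse

DIAL_CODES = {"356": "MT", "44": "GB", "32": "BE"}  # constructed sample table

def host(url):
    """Hostname of a URL or bare 'www.x.y' string, without the 'www.' label."""
    netloc = urlparse(url if "//" in url else "//" + url).netloc.lower()
    return netloc[4:] if netloc.startswith("www.") else netloc

def digits(number):
    """Digits of a phone number, with a leading '+' or '00' prefix dropped."""
    return re.sub(r"^00", "", re.sub(r"\D", "", number or ""))

def phone_country(number):
    d = digits(number)
    return next((cc for code, cc in DIAL_CODES.items() if d.startswith(code)), None)

def norm(name):
    return re.sub(r"[^a-z0-9]", "", (name or "").lower())

def company_indicators(rec):
    """Return the slide's indicators that fire for one partner record."""
    hits = []
    site, mail = host(rec["website"]), rec["email"].rsplit("@", 1)[-1].lower()
    if mail != site and not mail.endswith("." + site):
        hits.append("email address does not match company domain")
    if digits(rec["phone"]) and digits(rec["phone"]) == digits(rec.get("fax")):
        hits.append("phone number = fax number")
    if digits(rec["phone"]) and digits(rec["phone"]) == digits(rec.get("gsm")):
        hits.append("phone number = GSM number")
    if rec.get("registrant") and norm(rec["registrant"]) != norm(rec["name"]):
        hits.append("website registered by another company")
    seen = {rec.get("site_country"), phone_country(rec["phone"])} - {None}
    if seen - {rec["country"]}:
        hits.append("website or phone numbers in another country")
    text = rec.get("site_text", "")
    if "under construction" in text.lower() or not re.search(r"@|\d[\d ]{6,}", text):
        hits.append("website without contact coordinates / under construction")
    return hits

# Constructed record: values typed in by the auditor after the manual lookups.
SAMPLE = {
    "name": "Hour Ltd", "country": "MT", "email": "hour.ltd@gmail.com",
    "website": "www.hour.example", "phone": "+44 20 7946 0000",
    "fax": "0044 20 7946 0000", "gsm": "+356 7900 0000",
    "registrant": "Other Hosting Co", "site_country": "MT",
    "site_text": "Welcome. Site under construction.",
}
print(company_indicators(SAMPLE))
```

A hit is a reason to look closer, not a finding: the registrant comparison in particular will fire for any company that registered its domain through an agency.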

FD

Data Gathering Outcomes

Organisation

Cannot (financially)

Cannot (operationally)

Can do / have not

Staff

Have not done

Have done, cost inflated

Have done, cost ineligible

Outcome - Audit Procedures

Cannot (financial)

Find other income source

Check commercial agreements with others...

Cannot (operational)

Find who could have done the work

Verify working agreements / CVs / job descriptions...

Risk-based audits -> error 30%

Impact on DG INFSO

Huge effort in administrative follow-up

Litigation (EDPS, Ombudsman, TPI, ECJ)

Impossibility to recover funds

Waste of budget - impact on genuine participants

Reputation damage

Perception

Challenge

Detect problems early in the project life-cycle (PO)

Link data gathering/risk-assessment/audit programme

Manage exceptions well

Implementation of audits

Residual error

AuditedError = 0

ExtrapolatedError = non-systematic

UntouchedError = representative

Selectiveness

Facilitate

Simplify

Trust

Detect

Correct

Prevent
